From 3c9718da3da85fa2044c7685c6f60a9925a2930e Mon Sep 17 00:00:00 2001
From: Owen Smith
Date: Mon, 13 Jun 2016 09:33:04 -0400
Subject: [PATCH 1/4] sign: dont convert input buffers to utf8 strings binary payloads would get mangled due to the unnecessary string conversion, which should go the other way around
Fixes: https://github.com/brianloveswords/node-jws/issues/50
---
 lib/sign-stream.js | 6 +++---
 lib/to-buffer.js | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 lib/to-buffer.js
diff --git a/lib/sign-stream.js b/lib/sign-stream.js
index e24576f..a7bb2d5 100644
--- a/lib/sign-stream.js
+++ b/lib/sign-stream.js
@@ -3,13 +3,13 @@ var base64url = require('base64url');
 var DataStream = require('./data-stream');
 var jwa = require('jwa');
 var Stream = require('stream');
-var toString = require('./tostring');
+var toBuffer = require('./to-buffer');
 var util = require('util');
 function jwsSecuredInput(header, payload, encoding) {
 encoding = encoding || 'utf8';
- var encodedHeader = base64url(toString(header), 'binary');
- var encodedPayload = base64url(toString(payload), encoding);
+ var encodedHeader = base64url(toBuffer(header));
+ var encodedPayload = base64url(toBuffer(payload, encoding));
 return util.format('%s.%s', encodedHeader, encodedPayload);
 }
diff --git a/lib/to-buffer.js b/lib/to-buffer.js
new file mode 100644
index 0000000..efb9231
--- /dev/null
+++ b/lib/to-buffer.js
@@ -0,0 +1,19 @@
+'use strict';
+
+var Buffer = require('safe-buffer').Buffer;
+
+module.exports = function toBuffer(val, encoding) {
+ if (Buffer.isBuffer(val)) {
+ return val;
+ }
+ if (typeof val === 'string') {
+ return Buffer.from(val, encoding || 'utf8');
+ }
+ if (typeof val === 'number') {
+ // This won't work for very large or very small numbers, but is consistent
+ // with previous behaviour at least
+ val = val.toString();
+ return Buffer.from(val, 'utf8');
+ }
+ return Buffer.from(JSON.stringify(val), 'utf8');
+};
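Review bot: In `jwsSecuredInput` (lib/sign-stream.js) the `encoding` argument now reaches only `toBuffer(payload, encoding)`, so it is honoured for string payloads and silently ignored for Buffers, numbers and objects, and nothing in the function says so. Because this string is the exact input that gets signed, the contract deserves a comment above the function, e.g. `// encoding applies to string payloads only; Buffers are used byte-for-byte, other values are serialized by toBuffer as UTF-8`. The header also loses its `'binary'` argument, so a header containing non-ASCII characters presumably encodes to different bytes than before; that is inferred from the dropped argument, not from a visible test, and is worth a line in the changelog if it holds.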
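Review bot: The final fallback of `toBuffer` (lib/to-buffer.js) does not handle values that `JSON.stringify` cannot serialize: for `undefined` or a function it yields `undefined`, so `Buffer.from(undefined, 'utf8')` fails with a generic TypeError that never names the missing payload, while `null` is quietly turned into the bytes of the text `null`. For a helper whose output is the data to be signed, an explicit guard before the fallback gives callers a clear failure, e.g. `if (val === undefined) throw new TypeError('toBuffer: value is required');`. Whether `null` should be rejected as well depends on what the old `tostring` helper did, which this patch does not show. The comment in the number branch could also state the actual limitation, presumably that `toString()` switches to exponent notation at large magnitudes.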
From 1364b5963cd680e48f1d10aef491db62cb989be7 Mon Sep 17 00:00:00 2001
From: Owen Smith
Date: Wed, 29 Jun 2016 23:39:18 -0400
Subject: [PATCH 2/4] test: add test for buffer payload input
---
 test/jws.test.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/test/jws.test.js b/test/jws.test.js
index 7f53d6f..da725eb 100644
--- a/test/jws.test.js
+++ b/test/jws.test.js
@@ -330,3 +330,16 @@ test('jws.isValid', function (t) {
 t.same(jws.isValid(valid), true);
 t.end();
 });
+
+test('#50 mangled binary payload', function(t) {
+ const sig = jws.sign({
+ header: {
+ alg: 'HS256'
+ },
+ payload: new Buffer('TkJyotZe8NFpgdfnmgINqg==', 'base64'),
+ secret: new Buffer('8NRxgIkVxP8LyyXSL4b1dg==', 'base64')
+ });
+
+ t.same(sig, 'eyJhbGciOiJIUzI1NiJ9.TkJyotZe8NFpgdfnmgINqg.9XilaLN_sXqWFtlUCdAlGI85PCEbJZSIQpakyAle-vo');
+ t.end();
+});
From 9e4fbe3128a89417c7b827c818248fad4061bc3f Mon Sep 17 00:00:00 2001
From: MMDF
Date: Sun, 6 Aug 2017 22:44:56 +0300
Subject: [PATCH 3/4] Fix typo in code example Just put some curly braces as JS doesn't have such syntax (yet).
---
 readme.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/readme.md b/readme.md
index e4200b8..a67e532 100644
--- a/readme.md
+++ b/readme.md
@@ -116,9 +116,9 @@ jws.createSign({
 });
 // is equivilant to this:
-const signer = jws.createSign(
+const signer = jws.createSign({
 header: { alg: 'RS256' },
-);
+});
 privateKeyStream.pipe(signer.privateKey);
 payloadStream.pipe(signer.payload);
 signer.on('done', function(signature) {
From 0455ad830487f12c0d7de1ff1e6513d477490046 Mon Sep 17 00:00:00 2001
From: brian-pc
Date: Wed, 27 Dec 2017 16:11:03 +0900
Subject: [PATCH 4/4] bugfix for invaild json format
---
 lib/verify-stream.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/verify-stream.js b/lib/verify-stream.js
index d9bfa2b..d815458 100644
--- a/lib/verify-stream.js
+++ b/lib/verify-stream.js
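Review bot: The new test `#50 mangled binary payload` in test/jws.test.js pins only the string returned by `jws.sign`; the token is never passed back through verification, so a regression in which signing and verifying disagree on the payload bytes would still pass. Keeping the secret in a local variable and adding `t.ok(jws.verify(sig, 'HS256', secret));` before `t.end()` would cover the round trip, assuming the three-argument `verify` of this release line. The test also builds its inputs with `new Buffer(string, 'base64')`, whereas lib/to-buffer.js in patch 1/4 uses `Buffer.from` through `safe-buffer`; using the same form here keeps the suite consistent with the library.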
@@ -68,7 +68,11 @@ function jwsDecode(jwsSig, opts) {
 var payload = payloadFromJWS(jwsSig);
 if (header.typ === 'JWT' || opts.json)
- payload = JSON.parse(payload, opts.encoding);
+ try {
+ payload = JSON.parse(payload, opts.encoding);
+ } catch(e) {
+ return null;
+ }
 return {
 header: header,
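Review bot: In `jwsDecode` the added `try`/`catch` is the sole statement of a braceless `if (header.typ === 'JWT' || opts.json)`, which is legal but easy to break on the next edit; giving the `if` its own braces around the `try` block makes the scope explicit. The call kept inside the `try` is still `JSON.parse(payload, opts.encoding)`, but the second parameter of `JSON.parse` is a reviver function, so a string encoding is ignored there; `payload = JSON.parse(payload);` states what actually happens. Returning `null` for a malformed payload fails closed, and a short comment such as `// malformed JSON payload: treat the token as undecodable` would record that the swallowed exception is intentional. `jwsDecode` starts before and continues past this hunk, so how callers handle the `null` is not visible here.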